Tuesday, October 27, 2015

We the People Expect a Record


I am exhausted by all the petty infighting. I am tired of the partisan politics. Just knock it off already.  It’s nothing but wrangling between the political parties. Everyone gets it. It’s so painfully clear. Poor Hillary in another overly politicized inquisition to just tear away at her flesh and storied career.  

Our republic is great. For me it is the greatest country that has ever existed. There are some other really good ones, but America is the “cat’s meow.” Loath to be insensitive with my last idiomatic expression, I don’t want to offend cat owners or dog lovers or people who like leashes--well, you get the idea.

America is great in part because it has advanced a unique form of government with built-in checks and balances, among many other institutional protections. What that means is that one branch of government can’t push around another branch. After all, we evolved out of a polity where the king or queen held sway and the Constitutional Framers decided the monarchy wouldn’t work here.  That means that Congress can’t make war by itself and when the President can’t get his ideas passed through Congress, he can’t circumvent the process with some king-like Executive Order to frustrate the process, for example (the Iran Nuclear deal advanced through Executive Order notwithstanding).

Another unique feature of our democracy is governmental transparency. We get to see what our elected officials do or do not do. They are supposed to memorialize their actions in the government record for posterity and transparency’s sake. Thereafter our laws, like Freedom of Information, ensure that we have an optic into governmental activities, assuming it isn’t classified. Because we don’t want just anyone seeing our classified information.

Another really great thing about America is our advancement of individual freedoms embodied in the Bill of Rights, among other places.  But it seems like sometimes when our great American values collide, we have to have a predictable way to advance the most important values of our great land.  The right to do whatever you want, whenever you want is not likely going to win especially when it’s the government at issue.

So if you are a government worker and you don’t like having a government email, too bad so sad. All employees can’t do what they want at work, including the US Government employees. Or if you don’t like the government provided IT staff, technology choices or functionality provided to get your job done, you can’t just find a cheapo cloud provider and use their free IT email and storage services for your government work because, come on, that would undermine the whole accountability/transparency thing that made our great nation great. But Hillary Clinton is different. She is the boss. So when she tells the entire State Department to refrain from using personal email for government work, she was talking to everyone but herself. And when she complains about managing the complexity of multiple communications devices, then she should be able to get rid of her government email altogether, right? Come on, she’s the boss and should be able to use a private server located in her basement to manage US foreign affairs for all other nations because it’s just way easier for her. And if she wants to manage state secrets through an IT provider in Colorado located in a strip mall, then she should be allowed to, because, come on, she’s the Queen Bee. Come on, this is America, “Land of the Home and Free of the Brave.” Freedom rules. But we do not have kings and queens and that’s the really great part of our great land.

I sure wish they would stop busting Clinton’s chops over the information she sent or received via email. Even if it was classified it wasn’t marked classified so not one of the bad guys would have bothered to hack her account and read such boring stuff. (Yes, I heard the “rumor” that several foreign governments tried to hack her server, but who knows if it’s really true.)

And then there is the personal vs. government issue—you don’t think her aides know the difference between a wedding invitation discussion and an explanation of security threat in Libya and the likelihood of a major terror attack on our diplomatic presence there? Why not let Clinton decide when she will turn over records in accordance with the Federal Records Act, because after all, transparency can happen sometime in the future—maybe after she is elected queen. And don’t you think the Secretary of State is the best person at the State Department to know what is classified or top-secret and how to protect it? For that matter, I bet she knows best how to secure data, and between her Colorado IT shop in the mall and the NSA or Department of State security personnel, I am sure she had it all locked down and buttoned up. “Hey, can I get some help over here working my fax machine.” And why bother with the National Archives and Records Administration to decide what is a government record worth keeping when Hillary will give us what she hasn’t destroyed when she decides it’s time.

It’s an election year and that is all this is—partisan politics. I hate the sabre rattling about the silly email security stuff.

On the other hand, if she wasn’t running for President of the United States and her former boss wasn’t the king, I wonder if Hillary would be prosecuted for her mishandling of sensitive government information the way others have been. Thank goodness for transparency and accountability. I see myself as an Independent. I am not anti-Hillary. But this is not about Clinton or the Republicans trying to make hay from the Benghazi tragedy. For me, it’s about making a record. I am for ensuring America’s greatness by keeping a complete record and making it open to the citizens. I am also for protecting government secrets. I am also for applying a little reasonableness to the discussion. If what Hillary did doesn’t bother you a little, perhaps you are too colored by Fall foliage or the election season. Just saying.

Wednesday, December 10, 2014

Another Sad Hacking Story: What Can We Learn From Sony


Sony hacked. Data stolen. Personal lives exposed. Interested in Judd Apatow’s social security number? Blah, Blah, Blah.

“The hack and subsequent posting…illustrate the risks large companies like Sony take by amassing years of digital records on employees and customers on machines connected to the Internet. Much of the data analyzed…was stored in Microsoft Excel files without password protection.” Wall Street Journal December 5, 2014

After the hundredth major information hack, you start to become immune or maybe underwhelmed by the magnitude. “So what if another 47,000 personal identities got swiped.” “So they know the personal info of Sylvester Stallone, no big deal.”

What can we learn from our world, where there is more information than ever before, that is more connected than ever before and, as a result, more vulnerable to information theft than ever before?

So here are a few truisms about the hacking reality in these times:

1.   Security breaches will happen no matter how much effort is made to ensure they don’t.
2.   Information matters. That is why criminal groups across the globe seek to steal as much information as possible. It’s business.
3.   More businesses are being more proactive as reputations hinge upon it. Information security has become central to fiscal health. Just ask Target how impactful a serious hack can be.
4.   We will become more immune to “hacking” stories, which is, in some ways good and in some ways bad.                
a.  Good, because we are not worried that the sky is falling and organizations can focus on the real business of knowing where their data resides and can lock it down better.
b.  Bad, because ignoring the huge impact that some of these hacks create may portend lethargy or helplessness.
5.   Security is a process not a project.  It is a marathon, not a sprint.  It is an organizational activity that requires vigilance and persistence over time.  Getting lazy means more bad results.  From a corporate governance perspective, it is like any activity that is important enough to bake into the business processes.
6.   Smart organizations continually augment the ways they manage privacy, information security, corporate trade secrets and IP.  That is because technology changes. Actions taken by criminals change. And the problem evolves, so your response needs to continually evolve to meet the new challenge.
7.   Smart organizations take action for two reasons—one, to mitigate the risk and address the harm, and two, to insulate the company from the harm caused by the attacks that get through. In other words, the good things your organization does to prevent a hack may be used to support your company and mitigate the downside if and when your information crown jewels are hacked.

And that brings me to Information Nation - Seven Keys to Information Management Compliance and the importance of a process for better management, which serves both purposes described in paragraph 7. Compliance methodology can save your company and act as insurance or insulation. This is why: “A corporation can act through natural persons, and it is therefore held responsible for the acts of such persons…on the other hand in certain circumstances, it may not be appropriate to impose liability upon a corporation, particularly one with a compliance program…” (U.S. Dept. of Justice)



Here are a few simple rules to help guide you:

a.    Vigilance comes from having a process, so build it or augment the existing process.
b.    Information Management Compliance is our compliance methodology that we built on the Federal Sentencing Guidelines, which are the basis for most US compliance programs. Compliance methodology demonstrates what good corporate citizens do and can act to mitigate harm or insulate altogether.
c.     Good corporations need to protect their reputation now more than ever by having working security programs.
d.    Combining a compliance methodology with security initiatives is something to seriously consider. That way your security program can better confront the hacking your organization most assuredly will be confronted with, as well as mitigate the damage if and when something slips through the cracks.
e.    Finally, getting your company better buttoned up and protected begins with knowing where your information lives, knowing who has access to it and coding and securing it according to its value.  


The Sony hack is another wake-up call, even though I am not sure if Sony could have stopped the intrusion no matter what security it had in place, given the complexity of the hacking. But I am sure we will have many governmental organizations seeking to answer that question. One thing I am sure of already is that when personal information or company secrets are amassed and not locked down, they will get exposed. It’s just a matter of how often and how much impact it will have. When PII of Hollywood figures is replicated numerous times in the data pool, perhaps without business justification, someone should be asking why there are so many instances of the same information and why they are not locked down. Did Sony do anything to mitigate information security risks by keeping as little as possible for as short as possible and properly locking it up? These questions too will be addressed in due time, which most assuredly will have further impact on Sony. But for today, purposeful vigilance with a plan is the rallying cry. Know your information, know where it resides and lock it down. Your existence may depend on it.

Thursday, December 4, 2014

Making Peace with Too Much Information, the Holiday Season and Big Ten Football

I got a late start this year. So yesterday I sent a box request to Steel Hill, our off-site storage vendor, to get my box of holiday paraphernalia. I celebrate Christmas, I mean Hanukkah, I mean Kwanzaa, I mean Unique Snowflake Fest. Anyway, I wanted to get my box so I can adorn my office. And that got me thinking that if everyone in my company did what I do, we would be spending loads of unnecessary dough on storing crud. And that got me thinking about how much money we could save getting rid of crud. And that got me thinking about what crud really is. And well, that got me thinking that I forgot to wish you a happy holidays. But let me come back to that in a minute.

Shockingly, this past year we were engaged many times to deal with cleaning up the boxes of crud at off-site storage vendors for big company clients.  That is significant for a few reasons. One, because companies now understand keeping unneeded information carries with it real costs. Two, even boxes of paper have become the target to save money (given that most info costs are related to electronic stuff). Three, we have been in a nearly all-electronic business world for years now, so dealing with paper now seems odd. Four, companies seemingly forgot about the boxes, but hopefully now are getting reacquainted as they get their annual bill and are asking why store crud? Five, getting rid of boxes of paper carries with it a cost which may be higher than the annual cost to keep the boxes and that reality may impact clean-up efforts.

Oh, Happy Holidays-whatever it is that you celebrate. Be safe, healthy and live joyously.  

And all that holiday sweet talk got me thinking about New Year’s. And that got me thinking about chicken wings. Don’t ask. And that got me thinking about New Year’s resolutions, which by the way I’m generally not a fan of. But as the old adage goes, “do as I say, not as I do”. So please take to heart my sincere request to: Save a Tree; Go Green; Live Simply; and Create a smaller carbon footprint. Help your company clean up its crud this year. Take on the personal drives, email system, or even the boxes of crud ready for disposition. Tis the season to “Rightsize Your Information Footprint”. And that means get rid of your crud. And that got me thinking about chicken wings. And that got me thinking about what cute sweater I was going to wear to the Unique Snowflake Fest party this weekend. And because my sweater is red, that got me thinking about the Wisconsin Badgers beating Ohio State this weekend. Jump Around!


Friday, November 21, 2014

Building an Information Factory



Years ago, email burst onto the business scene to become the premier business productivity tool used at work. Not surprisingly, the post office immediately started to witness the precipitous decline in the number of first class business letters being sent. Revenue from first-class mail in 2000 was $91 Billion, and according to the US GAO it’s projected to be $39 Billion in 2020. Email was a game changer for which the post office didn’t have an immediate answer. The United States Post Office (USPO) tried staying open later and also tried selling non-mail related products. The USPO even allowed customized stamps to be printed at home. But in the end, the only way the USPO was going to replace the revenue lost, due in large part to email use replacing the first class letter, was with truly transformative change. In fact, maybe there wasn’t really a viable answer. But whatever was tried was incremental in nature and insufficient to stem the bleeding that was catastrophic to the letter mailing business.

Steal this Song

Some kid had the bright idea that he could build an online network for people to share music for free, over the internet (otherwise known as Napster). Wonderful idea, unless of course you are the artists who created the music or the music companies that sell it. In either case, both the artist and music company will be directly and substantially impacted. The music industry was ill-prepared for this transformational change and started to flail immediately trying to seize control of the problem. Whether you embrace change or fight it when confronted with transformational changes will in part dictate your future. But we will come back to that in a minute.

First the Recording Industry Association (RIA) sued the creators of the various music sharing environments. Then the RIA sued select “borrowers” of the online “free” music to send a message to the rest of the snot-nosed kids. This approach didn’t address the heart of the issue and instead made the industry look like bullies. While they were trying to stop transformational change with ineffective incremental baby steps, the winners, the ones building transformational solutions, were creating new ways to build value and business around a new reality-- that music could flow fast and freely across the web.

Apple, which figured out how to deliver and sell the music, has been handsomely rewarded. Many artists now sell their music one song at a time through the Apple music ecosystem or elsewhere or even sell it directly to listeners from their own websites. For companies like Sony and their famed (tape-based) Walkman, the story of their decline is well documented and painful to revisit.

The Changing Information Landscape

But this is not an article about business transformation generally. Rather, it’s an article about how global business is going to deal with an information landscape that is rapidly evolving and morphing in unpredictable ways. It’s about companies being overwhelmed by a tsunami of data routinely negatively impacting IT frameworks, storage networks, servers and employees. It’s also about more opposing laws and rules that can’t be applied or followed at the document or file level. It’s about big data demanding more information to crawl through while the corporate privacy officer is pushing for the company to keep less information to reduce overall risk.
If, in another world, information grew at 2 or 3% per year, then maybe employees could manage privacy, protect company trade secrets and handle the task of records management. But most organizations’ information footprints are growing at 25-50% per year, and that is not the only challenge they face. More company information exists outside the company firewall (or in unmanaged repositories) than ever before, making control and access a new costly complexity. There has been a proliferation of new laws and regulations dictating how organizations deal with litigation response, manage company IP, lock down personally identifiable information (PII) or personal health information (PHI), or classify records.

Dealing with the Perfect Information Storm

How does a company deal with this “Perfect Information Storm” where massive volume meets massive management complexities, which collides with burgeoning laws, all of which can result in existential consequences from mismanagement?
Every day Bob goes to work and like the day before, does exactly what he has done every other day. The products that are created look and function exactly like the ones produced yesterday, most likely boring for Bob, but predictable for the company and the factory in which Bob works. That is because the process by which the products were created was a process meant to predictably create the widget the same way, day in and day out (think Henry Ford). Behind the factory processes is the concept that building a good and repeatable manufacturing process in turn ensures that the widget or whatever is built is predictably good enough, every time. The whole idea is that once the factory itself is built well there is no need to rethink the manufacturing process every time another widget is made. If I focus on making each widget by hand when I need to make scads of them, then I am committing to a process that is wrong for the task. On the other hand, if I wanted to craft a fine painting, the factory-based manufacturing process is not right for the task.

One Man’s Record is another Man’s Junk

Contrary to popular belief, information is not so unique that it requires the master artisan’s touch to manage it properly. Even if that were true, and it’s not, that is simply no longer doable as we have too much information volume and it continues to grow. Even more importantly, if you asked 10 employees their opinion on the business value of a document, they would likely have several different CORRECT ways to manage or classify it. It’s something like - one man’s record is another man’s junk. Or better stated, everyone, no matter how much training they have, evaluates information differently. Not all the time, but a lot. That is because where you sit in an organization, your individual educational background, risk tolerance, understanding of the content, etc. all impact how you evaluate whether or not it’s a record, if it’s private, if it’s a trade secret, etc.

Compliance with laws won’t get any easier, the places data is parked won’t get fewer, and volume of information won’t get less voluminous. Each one of those statements is game changing, yet folks still wear their incremental (paper-based) information management hat, limping along trying to solve a transformative problem with the wrong set of tools, much like trying to eat an ocean-sized pot of soup with a spoon. Transformational change needs transformational solutions, not incremental ones.

So what to do?

Build an Information Management Factory. You need to solve the problem from the top down. Looking at the individual file when there are hundreds of millions or billions of them can’t possibly work. In other words, think reproducible. Think massive. Think through-put. Think practical. Think transformational.
Can or should a company even contemplate managing hundreds of millions of files with rules built for a time when there were no computers and a few dozen paper record types? The information management space is trying to solve a transformational change issue with wimpy incremental ideas whose days were numbered decades ago. Get a clue and get on the transformation bus. Employees couldn’t manage company records 10 years ago when the company information footprint was 1/100th its current size (or less). The key take-away - Rethink and rework everything.

10 Things You Must do Now to get Information Management Right?

1. Throw out old thinking, old policies, old ideas and tired information workers.
2. Hire a new IM factory “Owner.”
3. Build a multi-disciplinary IM Factory team.
4. Develop the factory build out strategy and agenda for the next 3 years.
5. Build an IM Factory.
6. Simplify rules so that all rules can be applied without much or any employee intervention.
7. Use automation and applications to do the “heavy lifting.”
8. Make certain environments “non-records” locations so that all content goes away after a couple of years no matter what.
9. Develop rules for every new information source upfront so end of life is predictable and contemplated.
10. Apply simpler rules to all environments with a specific focus on storage hogs.

Don’t forget to buy some robots.  Robots are good for everything.

Whether you embrace change or fight it, when confronted with today’s information realities, what is clear is that the problem isn’t getting any easier to solve. What is equally as clear is that you and your colleagues have not been very successful at solving it either. The reason is clear: minor incremental changes won’t solve the information management problem any more than a spoon can be used to serve up the ocean.

When faced with an exponential information growth problem, responding with incremental fixes won’t address the real issue. In other words, managing information in the current environment is unlike anything ever before, as there is so much more content in so many more places which the company doesn’t have control over. It’s time for a whole new way to manage information. It is time for information management professionals to take the lead in guiding the factory in managing information. Employees can’t and shouldn’t be expected to manage stuff anymore; they are bad at it, they don’t have time for it, and there is too much of it to meaningfully attack the issue. Instead, build an information factory, automate as much as possible, and manage whole environments as one. Times change and you need to revisit and rework your thinking about what works on a regular basis.

I heard a funny joke:

“How many Canadian post office employees does it take to deliver a letter?” Answer—“None as they are phasing out of home delivery because they are bleeding money”.  Ka-Boom.

Epilogue


Kahn Consulting has spent the last few years building IM factories. It’s both doable and needed. If we can do it, so can you. Get busy.

Thursday, October 30, 2014

Big Data v. Godzilla

Who Wins the Battle For The Right to Use or Kill Information


Com·pe·ti·tion: the act or process of trying to get or win something (such as a prize or a higher level of success) that someone else is also trying to get or win: the act or process of competing (Merriam Webster)

Steven Wright mused that “you can't have everything, where would you put it?” But there are many in the IT world that think otherwise. Larger companies this year will grow their Information Footprint by 25-50% on average, which is about how much their data store grew last year and the year before that. Smart business people believe this path of keeping all their information is a good thing. Some even go farther, believing that all their information is essential to effectively use analytics technology (referred to as Big Data) to connect the dots to solve business problems. That is because not only does Big Data crave, well, big data, but also because answers to important business questions may dwell within the deep recesses of unstructured data piles that may seem unimportant to the casual or even the sophisticated observer. In other words, within all sorts of Information Parking Lots dwell all sorts of valuable information nuggets that only technology can harness. Getting rid of any information is tantamount to ridding the company of a competitive advantage that comes from harvesting the business answers.

The Information Competition Becomes a Conflict

But there is a whole different group of smart business folks that look at Big Data as a big risk and liability. Sure there may be value in finding the needle in the massive information haystack, but at what cost? These people seemingly take the exact opposite position, that more is not merrier and that at some point information which is “valueless” must be disposed of. Defensible Disposition or “Rightsizing Your Information Footprint” is needed for risk reduction and reducing costs. The more information the company retains, the greater the likelihood that personal customer data may be compromised or someone will successfully hack our corporate information Crown Jewels. Or the more information, the larger the e-discovery headache. Or keeping everything forever undermines the records management program. Indeed, Privacy Officers generally think the right answer is for companies to keep less information for shorter periods of time, while Big Daters think about keeping more information for longer periods of time. Core to Records Management is that records go away at the end of their period of retention no matter what, unless they are needed as evidence in a lawsuit or investigation. More ill-managed IP means more risk of losing company trade secrets.

And the “information use” battle being waged is not limited to companies trying to predict the colors customers will want next season based on past buying habits. An October 16, 2014 Wall Street Journal story, entitled “FBI Chief Warns Against Phone Encryption,” makes clear that the conflict over who gets to decide how information is managed is a real life and death situation pitting privacy advocates against the government. While government uses Big Data tools to crawl and unearth terrorists, privacy advocates and some phone companies want phone data encrypted. Similarly, in an article entitled “Privacy in the Internet of Things era: Will the NSA know what’s in your fridge,” Wojtek Borowicz points out that “we’ve already entered the Internet of Things: a world where everything is connected, with billions of devices storing and exchanging data about each other and about their users – i.e. us. As it matures, it’s going to be hugely convenient, not only to the average Joe, whose smart home will always remember to lock the door and switch the lights off, but also to huge organizations. However, one of the main concerns associated with it is the security of IoT platforms and devices. But it’s not only preventing hackers from accessing these systems we should be discussing: What about privacy, government surveillance and the creepy vision of Big Brother hiding in my smart fridge?” http://thenextweb.com/dd/2014/10/18/privacy-internet-things-era-will-nsa-know-whats-fridge/

So Who Wins and Who Loses in This Conflict?

We find ourselves in an information Olympics where the best of the best of every information use and misuse is congregating to duke it out, though they may not even know it. The Big Data team is trying to tie together disparate chunks of information to answer business questions, while the storage guy screams, “No Mas”. I think the business people win. I think Big Data wins where it adds value. But that said, I believe that maybe the seemingly divergent interests of information use can be accommodated. Either way, we will see soon enough. But for now, conflict or competition, information is being used for different purposes by different sides of the company and this new reality needs management attention ASAP.


Tuesday, October 7, 2014

Kahn's 8 Steps to Defensible Disposition Nirvana





1. Define a reasonable diligence process to assess the business needs and legal requirements for continued information retention and/or preservation, based on the information at issue.
2. Select a practical information assessment and/or classification approach, given information volumes, available resources, and risk profile.
3. Develop and document the essential aspects of the disposition program to ensure quality, efficacy, repeatability, auditability, and integrity.
4. Develop a mechanism to modify, alter, or terminate components of the disposition process when required for business or legal reasons.
5. Assess content for eligibility for disposition, based on business need, record retention requirements, and/or legal preservation obligations.
6. Test, validate, and refine as necessary the efficacy of content assessment and disposition capability methods with actual data until desired results have been attained.
7. Apply disposition methodology to content as necessary, understanding that some content can be disposed with sufficient diligence without classification.
8. On an ongoing basis, verify and document the efficacy and results of the disposition program and modify and/or augment the process as necessary.

Thursday, June 12, 2014

The path to hell is paved with good intentions.

I am not sure I have any good way to say what I am about to say. And in fact, I am so trepidatious that I have to couch my commentary in verbiage subterfuge. I am not spineless, but just don’t want to create a bunch of enemies with my cohort. So here goes. I am certain you will get my point even if I hide the true identities of the offending parties to protect the innocent and/or guilty.
Assume for a moment that an international information association decided that the industry, and more specifically companies, needed a way to assess if they had a mature information management program. So the organization got a bunch of their folks together to develop criteria by which they should evaluate if their program was good enough to pass muster. And let’s say after much talking and thinking they settled on an information management Maturity Model and related criteria.

Recently, a client of ours had us look at their self-assessment of their information management program using one such Maturity Model Best Practice self-assessment tool. (The client is now considering having us perform a new Gap Assessment.) It is one of my favorite clients and it’s a great company that does so much right. So when I reviewed their self-assessment, I was stupefied. They used the information management organization’s Maturity Model criteria and concluded they were seriously substandard. I totally disagreed with most of the conclusions of the assessment. I am not going to lay out why I think the various criteria are flawed in total, but let me give you an example to make my point. One of the criteria by which this company evaluated itself according to the self-assessment was information “integrity”. Based upon how the assessment MADE the client answer the questions, they got a flunking grade. I told my client, given what I knew about their business processes and IT framework, that on the information integrity scale I would give them a Rhodes Scholar type grade—at least an “A”. So why such a disconnect?
I get the whole thing about “one man’s hot is another man’s cold” but this is not about perception. It is about the criteria and maturing the process and still utterly failing even if what you have done is at least good enough.  From my humble perspective, the evaluative criteria are aspirational, not functionally helpful, impracticable and may sell your company unfairly down the river. BOOM! I believe it sets up companies to fail that use the self-assessment, on criteria that are not really central to success. Every organization would be flagging miserably if put under the assessment’s microscope. And that’s just not the way it should be.

Which brings me to the PG&E San Bruno disaster and how industry “best practices” evaluations can be helpful at fixing failings and can also provide the basis for regulators to whack companies for failing to properly manage records, among other things. The tragedy was horrible. The loss of life and property is unthinkable. And the company may have had records management failings. But look close enough at any company and most organizations fail miserably. See the report at the following link: http://www.cpuc.ca.gov/NR/rdonlyres/23513DF5-28CB-425B-BAE4-0151981F0779/0/CPSD_Recordkeeping_OII_Report_Final.PDF

There are lots of information management industry standards, best practices, and evaluations from all sorts of organizations. There is some terrific guidance and there are some downright damaging unattainable “best practices”. I’m sure all come into being with great intentions. But massaged, manipulated and maneuvered by lawyers, and a good company begins to smell dirty.

We developed a methodology called “Information Management Compliance” for evaluating the “goodness” of your Information Governance Program which has been used by so many companies. I borrowed the criteria from the Federal Sentencing Guidelines, which help judges evaluate what is good corporate behavior. I figured if the court will evaluate your company by the criteria, that you should build your program according to the criteria. (This is also the topic of “Information Nation-Seven Keys to Information Management Compliance”; see also http://www.arma.org/bookstore/files/Kahn.pdf.)

Look close enough at any company’s information management practices and you will find flaws. Lawyers are in the business of exploiting flaws. I don’t need to give them material to work with that isn’t even real. So companies, evaluate carefully, document thoughtfully and pick criteria by which you evaluate circumspectly. Just saying.


Randolph Kahn, ESQ.